[PATCH 01/10] man: display number ranges with an en dash

[PATCH 01/10] man: display number ranges with an en dash

[Jan Engelhardt]

For ranges, en dashes should be used; cf. e.g.
https://en.wikipedia.org/wiki/Dash#En_dash .

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libipt_ULOG.man |  2 +-
 extensions/libxt_NFLOG.man |  2 +-
 extensions/libxt_dscp.man  |  2 +-
 extensions/libxt_u32.man   | 16 ++++++++--------
 iptables/ebtables-nft.8    | 22 +++++++++++-----------
 5 files changed, 22 insertions(+), 22 deletions(-)

diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man
index c91f7764..c828b45e 100644
--- a/extensions/libipt_ULOG.man
+++ b/extensions/libipt_ULOG.man
@@ -9,7 +9,7 @@ Like LOG, this is a "non-terminating target", i.e. rule traversal
 continues at the next rule.
 .TP
 \fB\-\-ulog\-nlgroup\fP \fInlgroup\fP
-This specifies the netlink group (1-32) to which the packet is sent.
+This specifies the netlink group (1\(en32) to which the packet is sent.
 Default value is 1.
 .TP
 \fB\-\-ulog\-prefix\fP \fIprefix\fP
diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
index 318e6305..093704a1 100644
--- a/extensions/libxt_NFLOG.man
+++ b/extensions/libxt_NFLOG.man
@@ -9,7 +9,7 @@ may subscribe to the group to receive the packets. Like LOG, this is a
 non-terminating target, i.e. rule traversal continues at the next rule.
 .TP
 \fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (0 - 2^16\-1) to which packets are (only applicable for
+The netlink group (0\(en2^16\-1) to which packets are (only applicable for
 nfnetlink_log). The default value is 0.
 .TP
 \fB\-\-nflog\-prefix\fP \fIprefix\fP
diff --git a/extensions/libxt_dscp.man b/extensions/libxt_dscp.man
index 63a17dac..ff4523fd 100644
--- a/extensions/libxt_dscp.man
+++ b/extensions/libxt_dscp.man
@@ -2,7 +2,7 @@ This module matches the 6 bit DSCP field within the TOS field in the
 IP header.  DSCP has superseded TOS within the IETF.
 .TP
 [\fB!\fP] \fB\-\-dscp\fP \fIvalue\fP
-Match against a numeric (decimal or hex) value [0-63].
+Match against a numeric (decimal or hex) value in the range 0\(en63.
 .TP
 [\fB!\fP] \fB\-\-dscp\-class\fP \fIclass\fP
 Match the DiffServ class. This value may be any of the
diff --git a/extensions/libxt_u32.man b/extensions/libxt_u32.man
index 40a69f8e..183a63f7 100644
--- a/extensions/libxt_u32.man
+++ b/extensions/libxt_u32.man
@@ -69,13 +69,13 @@ Example:
 .IP
 match IP packets with total length >= 256
 .IP
-The IP header contains a total length field in bytes 2-3.
+The IP header contains a total length field in bytes 2\(en3.
 .IP
 \-\-u32 "\fB0 & 0xFFFF = 0x100:0xFFFF\fP"
 .IP
-read bytes 0-3
+read bytes 0\(en3
 .IP
-AND that with 0xFFFF (giving bytes 2-3), and test whether that is in the range
+AND that with 0xFFFF (giving bytes 2\(en3), and test whether that is in the range
 [0x100:0xFFFF]
 .PP
 Example: (more realistic, hence more complicated)
@@ -86,7 +86,7 @@ First test that it is an ICMP packet, true iff byte 9 (protocol) = 1
 .IP
 \-\-u32 "\fB6 & 0xFF = 1 &&\fP ...
 .IP
-read bytes 6-9, use \fB&\fP to throw away bytes 6-8 and compare the result to
+read bytes 6\(en9, use \fB&\fP to throw away bytes 6\(en8 and compare the result to
 1. Next test that it is not a fragment. (If so, it might be part of such a
 packet but we cannot always tell.) N.B.: This test is generally needed if you
 want to match anything beyond the IP header. The last 6 bits of byte 6 and all
@@ -101,11 +101,11 @@ stored in the right half of byte 0 of the IP header itself.
 .IP
  ... \fB0 >> 22 & 0x3C @ 0 >> 24 = 0\fP"
 .IP
-The first 0 means read bytes 0-3, \fB>>22\fP means shift that 22 bits to the
+The first 0 means read bytes 0\(en3, \fB>>22\fP means shift that 22 bits to the
 right. Shifting 24 bits would give the first byte, so only 22 bits is four
 times that plus a few more bits. \fB&3C\fP then eliminates the two extra bits
 on the right and the first four bits of the first byte. For instance, if IHL=5,
-then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0-1 are (in
+then the IP header is 20 (4 x 5) bytes long. In this case, bytes 0\(en1 are (in
 binary) xxxx0101 yyzzzzzz, \fB>>22\fP gives the 10 bit value xxxx0101yy and
 \fB&3C\fP gives 010100. \fB@\fP means to use this number as a new offset into
 the packet, and read four bytes starting from there. This is the first 4 bytes
@@ -115,7 +115,7 @@ the result with 0.
 .PP
 Example:
 .IP
-TCP payload bytes 8-12 is any of 1, 2, 5 or 8
+TCP payload bytes 8\(en12 is any of 1, 2, 5 or 8
 .IP
 First we test that the packet is a tcp packet (similar to ICMP).
 .IP
@@ -130,5 +130,5 @@ makes this the new offset into the packet, which is the start of the TCP
 header. The length of the TCP header (again in 32 bit words) is the left half
 of byte 12 of the TCP header. The \fB12>>26&3C\fP computes this length in bytes
 (similar to the IP header before). "@" makes this the new offset, which is the
-start of the TCP payload. Finally, 8 reads bytes 8-12 of the payload and
+start of the TCP payload. Finally, 8 reads bytes 8\(en12 of the payload and
 \fB=\fP checks whether the result is any of 1, 2, 5 or 8.
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index 0304b508..eaeb6d29 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -722,46 +722,46 @@ for that option is used, while if the upper bound is omitted (but the colon agai
 highest possible upper bound for that option is used.
 .TP
 .BR "--stp-type " "[!] \fItype\fP"
-The BPDU type (0-255), recognized non-numerical types are
+The BPDU type (0\(en255), recognized non-numerical types are
 .IR config ", denoting a configuration BPDU (=0), and"
 .IR tcn ", denothing a topology change notification BPDU (=128)."
 .TP
 .BR "--stp-flags " "[!] \fIflag\fP"
-The BPDU flag (0-255), recognized non-numerical flags are
+The BPDU flag (0\(en255), recognized non-numerical flags are
 .IR topology-change ", denoting the topology change flag (=1), and"
 .IR topology-change-ack ", denoting the topology change acknowledgement flag (=128)."
 .TP
 .BR "--stp-root-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
-The root priority (0-65535) range.
+The root priority (0\(en65535) range.
 .TP
 .BR "--stp-root-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
 The root mac address, see the option
 .BR -s " for more details."
 .TP
 .BR "--stp-root-cost " "[!] [\fIcost\fP][:\fIcost\fP]"
-The root path cost (0-4294967295) range.
+The root path cost (0\(en4294967295) range.
 .TP
 .BR "--stp-sender-prio " "[!] [\fIprio\fP][:\fIprio\fP]"
-The BPDU's sender priority (0-65535) range.
+The BPDU's sender priority (0\(en65535) range.
 .TP
 .BR "--stp-sender-addr " "[!] [\fIaddress\fP][/\fImask\fP]"
 The BPDU's sender mac address, see the option
 .BR -s " for more details."
 .TP
 .BR "--stp-port " "[!] [\fIport\fP][:\fIport\fP]"
-The port identifier (0-65535) range.
+The port identifier (0\(en65535) range.
 .TP
 .BR "--stp-msg-age " "[!] [\fIage\fP][:\fIage\fP]"
-The message age timer (0-65535) range.
+The message age timer (0\(en65535) range.
 .TP
 .BR "--stp-max-age " "[!] [\fIage\fP][:\fIage\fP]"
-The max age timer (0-65535) range.
+The max age timer (0\(en65535) range.
 .TP
 .BR "--stp-hello-time " "[!] [\fItime\fP][:\fItime\fP]"
-The hello time timer (0-65535) range.
+The hello time timer (0\(en65535) range.
 .TP
 .BR "--stp-forward-delay " "[!] [\fIdelay\fP][:\fIdelay\fP]"
-The forward delay timer (0-65535) range.
+The forward delay timer (0\(en65535) range.
 .\" .SS string
 .\" This module matches on a given string using some pattern matching strategy.
 .\" .TP
@@ -858,7 +858,7 @@ Log with the default logging options
 .TP
 .B --nflog-group "\fInlgroup\fP"
 .br
-The netlink group (1 - 2^32-1) to which packets are (only applicable for
+The netlink group (1\(en2^32-1) to which packets are (only applicable for
 nfnetlink_log). The default value is 1.
 .TP
 .B --nflog-prefix "\fIprefix\fP"
-- 
2.42.0

[PATCH 02/10] man: encode emdash the way groff/man requires it

[Jan Engelhardt]

Unlike LaTeX, two/three U+002D in the source do not translate to an
en and em-dash in man. Using \(en and \(em, respectively, addresses
this.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_hashlimit.man | 2 +-
 extensions/libxt_limit.man     | 2 +-
 extensions/libxt_rateest.man   | 2 +-
 extensions/libxt_time.man      | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index 8a35d564..79a37986 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -20,7 +20,7 @@ Maximum initial number of packets to match: this number gets recharged by one
 every time the limit specified above is not reached, up to this number; the
 default is 5.  When byte-based rate matching is requested, this option specifies
 the amount of bytes that can exceed the given rate.  This option should be used
-with caution -- if the entry expires, the burst value is reset too.
+with caution \(em if the entry expires, the burst value is reset too.
 .TP
 \fB\-\-hashlimit\-mode\fP {\fBsrcip\fP|\fBsrcport\fP|\fBdstip\fP|\fBdstport\fP}\fB,\fP...
 A comma-separated list of objects to take into consideration. If no
diff --git a/extensions/libxt_limit.man b/extensions/libxt_limit.man
index 6fb94ccf..b477dd94 100644
--- a/extensions/libxt_limit.man
+++ b/extensions/libxt_limit.man
@@ -4,7 +4,7 @@ It can be used in combination with the
 .B LOG
 target to give limited logging, for example.
 .PP
-xt_limit has no negation support - you will have to use \-m hashlimit !
+xt_limit has no negation support \(em you will have to use \-m hashlimit !
 \-\-hashlimit \fIrate\fP in this case whilst omitting \-\-hashlimit\-mode.
 .TP
 \fB\-\-limit\fP \fIrate\fP[\fB/second\fP|\fB/minute\fP|\fB/hour\fP|\fB/day\fP]
diff --git a/extensions/libxt_rateest.man b/extensions/libxt_rateest.man
index 42a82f32..1989ff6c 100644
--- a/extensions/libxt_rateest.man
+++ b/extensions/libxt_rateest.man
@@ -68,7 +68,7 @@ The names of the two rate estimators for relative mode.
 \fB\-\-rateest\-pps2\fP [\fIvalue\fP]
 Compare the estimator(s) by bytes or packets per second, and compare against
 the chosen value. See the above bullet list for which option is to be used in
-which case. A unit suffix may be used - available ones are: bit, [kmgt]bit,
+which case. A unit suffix may be used \(em available ones are: bit, [kmgt]bit,
 [KMGT]ibit, Bps, [KMGT]Bps, [KMGT]iBps.
 .PP
 Example: This is what can be used to route outgoing data connections from an
diff --git a/extensions/libxt_time.man b/extensions/libxt_time.man
index 4c0cae06..5b749a48 100644
--- a/extensions/libxt_time.man
+++ b/extensions/libxt_time.man
@@ -58,7 +58,7 @@ rest of the system uses).
 The caveat with the kernel timezone is that Linux distributions may ignore to
 set the kernel timezone, and instead only set the system time. Even if a
 particular distribution does set the timezone at boot, it is usually does not
-keep the kernel timezone offset - which is what changes on DST - up to date.
+keep the kernel timezone offset \(em which is what changes on DST \(em up to date.
 ntpd will not touch the kernel timezone, so running it will not resolve the
 issue. As such, one may encounter a timezone that is always +0000, or one that
 is wrong half of the time of the year. As such, \fBusing \-\-kerneltz is highly
-- 
2.42.0

[PATCH 03/10] man: encode math minuses the way groff/man requires it

[Jan Engelhardt]

The groff_char(7) manpage tells me that the magic incantation for
a mathematical minus is \[-].

On terminals, math minuses are oddly rendered with U+002D rather than
U+2212, but that's another topic for another day for another
software. In PostScript output (man -t), everything looks right.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_NFLOG.man     | 2 +-
 extensions/libxt_cpu.man       | 2 +-
 extensions/libxt_rateest.man   | 2 +-
 extensions/libxt_statistic.man | 2 +-
 iptables/ebtables-nft.8        | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
index 093704a1..9d1b4271 100644
--- a/extensions/libxt_NFLOG.man
+++ b/extensions/libxt_NFLOG.man
@@ -9,7 +9,7 @@ may subscribe to the group to receive the packets. Like LOG, this is a
 non-terminating target, i.e. rule traversal continues at the next rule.
 .TP
 \fB\-\-nflog\-group\fP \fInlgroup\fP
-The netlink group (0\(en2^16\-1) to which packets are (only applicable for
+The netlink group (0\(en2^16\[-]1) to which packets are (only applicable for
 nfnetlink_log). The default value is 0.
 .TP
 \fB\-\-nflog\-prefix\fP \fIprefix\fP
diff --git a/extensions/libxt_cpu.man b/extensions/libxt_cpu.man
index c89ef08a..7fcc8189 100644
--- a/extensions/libxt_cpu.man
+++ b/extensions/libxt_cpu.man
@@ -1,6 +1,6 @@
 .TP
 [\fB!\fP] \fB\-\-cpu\fP \fInumber\fP
-Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS-1
+Match cpu handling this packet. cpus are numbered from 0 to NR_CPUS\[-]1
 Can be used in combination with RPS (Remote Packet Steering) or
 multiqueue NICs to spread network traffic on different queues.
 .PP
diff --git a/extensions/libxt_rateest.man b/extensions/libxt_rateest.man
index 1989ff6c..d6ba3675 100644
--- a/extensions/libxt_rateest.man
+++ b/extensions/libxt_rateest.man
@@ -31,7 +31,7 @@ combinations:
 For each estimator (either absolute or relative mode), calculate the difference
 between the estimator-determined flow rate and the static value chosen with the
 BPS/PPS options. If the flow rate is higher than the specified BPS/PPS, 0 will
-be used instead of a negative value. In other words, "max(0, rateest#_rate -
+be used instead of a negative value. In other words, "max(0, rateest#_rate \[-]
 rateest#_bps)" is used.
 .TP
 [\fB!\fP] \fB\-\-rateest\-lt\fP
diff --git a/extensions/libxt_statistic.man b/extensions/libxt_statistic.man
index 47182bfb..e9ffa4b9 100644
--- a/extensions/libxt_statistic.man
+++ b/extensions/libxt_statistic.man
@@ -24,6 +24,6 @@ mode (see also the
 option).
 .TP
 \fB\-\-packet\fP \fIp\fP
-Set the initial counter value (0 <= p <= n\-1, default 0) for the
+Set the initial counter value (0 <= p <= n\[-]1, default 0) for the
 .B nth 
 mode.
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index eaeb6d29..f8523f41 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -858,7 +858,7 @@ Log with the default logging options
 .TP
 .B --nflog-group "\fInlgroup\fP"
 .br
-The netlink group (1\(en2^32-1) to which packets are (only applicable for
+The netlink group (1\(en2^32\[-]1) to which packets are (only applicable for
 nfnetlink_log). The default value is 1.
 .TP
 .B --nflog-prefix "\fIprefix\fP"
-- 
2.42.0

[PATCH 04/10] man: encode hyphens the way groff/man requires it

[Jan Engelhardt]

Edit a few spots where indeed a hyphens (U+2010) rather than U+002D is desired.
("set-name" is not something you input, it is a placeholder in the context of
documentation. "out-of-flow" is part of the regular flowed text, so should not
use anything but hyphens.)

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_SET.man      | 2 +-
 extensions/libxt_SYNPROXY.man | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index c4713378..28a0bbe5 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -25,7 +25,7 @@ one from the set definition
 when adding an entry if it already exists, reset the timeout value
 to the specified one or to the default from the set definition
 .TP
-\fB\-\-map\-set\fP \fIset\-name\fP
+\fB\-\-map\-set\fP \fIset-name\fP
 the set-name should be created with --skbinfo option
 \fB\-\-map\-mark\fP
 map firewall mark to packet by lookup of value in the set
diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man
index 30a71ed2..8b232e85 100644
--- a/extensions/libxt_SYNPROXY.man
+++ b/extensions/libxt_SYNPROXY.man
@@ -40,7 +40,7 @@ telnet 192.0.2.42 80
 .br
     length 0
 .PP
-Switch tcp_loose mode off, so conntrack will mark out\-of\-flow
+Switch tcp_loose mode off, so conntrack will mark out-of-flow
 packets as state INVALID.
 .IP
 echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
-- 
2.42.0

[PATCH 05/10] man: encode minushyphen the way groff/man requires it

[Jan Engelhardt]

Sparked by a recent LWN article[1], sweeps over the iptables manpages
for incorrectly encoded dashes was made by Phil Sutter and myself.

If the output is supposed to be a U+002D character (which is the case
for command-line options, everything that is a copy-paste or is going
to be copy-pasted), \- must be used.

[1] https://lwn.net/Articles/947941/ (paywalled until about 2023-11-06)

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libip6t_DNPT.man     |  2 +-
 extensions/libip6t_REJECT.man   |  7 ++++---
 extensions/libip6t_SNPT.man     |  2 +-
 extensions/libipt_REJECT.man    |  7 ++++---
 extensions/libxt_CT.man         |  4 ++--
 extensions/libxt_HMARK.man      |  2 +-
 extensions/libxt_LED.man        |  4 ++--
 extensions/libxt_MASQUERADE.man |  4 ++--
 extensions/libxt_NFLOG.man      |  2 +-
 extensions/libxt_NFQUEUE.man    | 11 ++++++-----
 extensions/libxt_SET.man        |  2 +-
 extensions/libxt_SNAT.man       |  2 +-
 extensions/libxt_SYNPROXY.man   |  2 +-
 extensions/libxt_TRACE.man      |  4 ++--
 extensions/libxt_bpf.man        |  8 ++++----
 extensions/libxt_cgroup.man     |  2 +-
 extensions/libxt_cluster.man    |  8 ++++----
 extensions/libxt_connlabel.man  | 10 +++++-----
 extensions/libxt_connlimit.man  |  2 +-
 extensions/libxt_hashlimit.man  |  4 ++--
 extensions/libxt_nfacct.man     |  2 +-
 extensions/libxt_osf.man        |  6 +++---
 extensions/libxt_owner.man      |  2 +-
 extensions/libxt_socket.man     |  2 +-
 24 files changed, 52 insertions(+), 49 deletions(-)

diff --git a/extensions/libip6t_DNPT.man b/extensions/libip6t_DNPT.man
index 9b060f5b..a9c06700 100644
--- a/extensions/libip6t_DNPT.man
+++ b/extensions/libip6t_DNPT.man
@@ -19,7 +19,7 @@ ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
 \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
 .IP
 ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
-\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst\-pfx fd00::/64
 .PP
 You may need to enable IPv6 neighbor proxy:
 .IP
diff --git a/extensions/libip6t_REJECT.man b/extensions/libip6t_REJECT.man
index 3c42768e..e68d6f03 100644
--- a/extensions/libip6t_REJECT.man
+++ b/extensions/libip6t_REJECT.man
@@ -44,9 +44,10 @@ response for a packet so classed would then terminate the healthy connection.
 .PP
 So, instead of:
 .PP
--A INPUT ... -j REJECT
+\-A INPUT ... \-j REJECT
 .PP
 do consider using:
 .PP
--A INPUT ... -m conntrack --ctstate INVALID -j DROP
--A INPUT ... -j REJECT
+\-A INPUT ... \-m conntrack \-\-ctstate INVALID \-j DROP
+.br
+\-A INPUT ... \-j REJECT
diff --git a/extensions/libip6t_SNPT.man b/extensions/libip6t_SNPT.man
index 97e0071b..1185d9c0 100644
--- a/extensions/libip6t_SNPT.man
+++ b/extensions/libip6t_SNPT.man
@@ -19,7 +19,7 @@ ip6tables \-t mangle \-I POSTROUTING \-s fd00::/64 \! \-o vboxnet0
 \-j SNPT \-\-src-pfx fd00::/64 \-\-dst-pfx 2001:e20:2000:40f::/64
 .IP
 ip6tables \-t mangle \-I PREROUTING \-i wlan0 \-d 2001:e20:2000:40f::/64
-\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst-pfx fd00::/64
+\-j DNPT \-\-src-pfx 2001:e20:2000:40f::/64 \-\-dst\-pfx fd00::/64
 .PP
 You may need to enable IPv6 neighbor proxy:
 .IP
diff --git a/extensions/libipt_REJECT.man b/extensions/libipt_REJECT.man
index cc47aead..a7196cdc 100644
--- a/extensions/libipt_REJECT.man
+++ b/extensions/libipt_REJECT.man
@@ -44,9 +44,10 @@ response for a packet so classed would then terminate the healthy connection.
 .PP
 So, instead of:
 .PP
--A INPUT ... -j REJECT
+\-A INPUT ... \-j REJECT
 .PP
 do consider using:
 .PP
--A INPUT ... -m conntrack --ctstate INVALID -j DROP
--A INPUT ... -j REJECT
+\-A INPUT ... \-m conntrack \-\-ctstate INVALID \-j DROP
+.br
+\-A INPUT ... \-j REJECT
diff --git a/extensions/libxt_CT.man b/extensions/libxt_CT.man
index fc692f9a..7523ead4 100644
--- a/extensions/libxt_CT.man
+++ b/extensions/libxt_CT.man
@@ -20,12 +20,12 @@ the ctmark, not nfmark), \fBnatseqinfo\fP, \fBsecmark\fP (ctsecmark).
 Only generate the specified expectation events for this connection.
 Possible event types are: \fBnew\fP.
 .TP
-\fB\-\-zone-orig\fP {\fIid\fP|\fBmark\fP}
+\fB\-\-zone\-orig\fP {\fIid\fP|\fBmark\fP}
 For traffic coming from ORIGINAL direction, assign this packet to zone
 \fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
 instead of \fIid\fP, the zone is derived from the packet nfmark.
 .TP
-\fB\-\-zone-reply\fP {\fIid\fP|\fBmark\fP}
+\fB\-\-zone\-reply\fP {\fIid\fP|\fBmark\fP}
 For traffic coming from REPLY direction, assign this packet to zone
 \fIid\fP and only have lookups done in that zone. If \fBmark\fP is used
 instead of \fIid\fP, the zone is derived from the packet nfmark.
diff --git a/extensions/libxt_HMARK.man b/extensions/libxt_HMARK.man
index cd7ffd54..63d18cb5 100644
--- a/extensions/libxt_HMARK.man
+++ b/extensions/libxt_HMARK.man
@@ -53,7 +53,7 @@ A 32 bit random custom value to feed hash calculation.
 \fIExamples:\fP
 .PP
 iptables \-t mangle \-A PREROUTING \-m conntrack \-\-ctstate NEW
- \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark-offset 10000
+ \-j HMARK \-\-hmark-tuple ct,src,dst,proto \-\-hmark\-offset 10000
 \-\-hmark\-mod 10 \-\-hmark\-rnd 0xfeedcafe
 .PP
 iptables \-t mangle \-A PREROUTING \-j HMARK \-\-hmark\-offset 10000
diff --git a/extensions/libxt_LED.man b/extensions/libxt_LED.man
index 81c2f296..d92fd940 100644
--- a/extensions/libxt_LED.man
+++ b/extensions/libxt_LED.man
@@ -6,9 +6,9 @@ the trigger behavior:
 .TP
 \fB\-\-led\-trigger\-id\fP \fIname\fP
 This is the name given to the LED trigger. The actual name of the trigger
-will be prefixed with "netfilter-".
+will be prefixed with "netfilter\-".
 .TP
-\fB\-\-led-delay\fP \fIms\fP
+\fB\-\-led\-delay\fP \fIms\fP
 This indicates how long (in milliseconds) the LED should be left illuminated
 when a packet arrives before being switched off again. The default is 0
 (blink as fast as possible.) The special value \fIinf\fP can be given to
diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
index 26d91ddb..e2009086 100644
--- a/extensions/libxt_MASQUERADE.man
+++ b/extensions/libxt_MASQUERADE.man
@@ -21,9 +21,9 @@ if the rule also specifies one of the following protocols:
 .TP
 \fB\-\-random\fP
 Randomize source port mapping (kernel >= 2.6.21).
-Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random-fully\fP.
+Since kernel 5.0, \fB\-\-random\fP is identical to \fB\-\-random\-fully\fP.
 .TP
-\fB\-\-random-fully\fP
+\fB\-\-random\-fully\fP
 Fully randomize source port mapping (kernel >= 3.13).
 .TP
 IPv6 support available since Linux kernels >= 3.7.
diff --git a/extensions/libxt_NFLOG.man b/extensions/libxt_NFLOG.man
index 9d1b4271..959522c2 100644
--- a/extensions/libxt_NFLOG.man
+++ b/extensions/libxt_NFLOG.man
@@ -17,7 +17,7 @@ A prefix string to include in the log message, up to 64 characters
 long, useful for distinguishing messages in the logs.
 .TP
 \fB\-\-nflog\-range\fP \fIsize\fP
-This option has never worked, use --nflog-size instead
+This option has never worked, use \-\-nflog\-size instead
 .TP
 \fB\-\-nflog\-size\fP \fIsize\fP
 The number of bytes to be copied to userspace (only applicable for
diff --git a/extensions/libxt_NFQUEUE.man b/extensions/libxt_NFQUEUE.man
index 950b0d24..cb963bec 100644
--- a/extensions/libxt_NFQUEUE.man
+++ b/extensions/libxt_NFQUEUE.man
@@ -6,8 +6,9 @@ reinject the packet into the kernel.  Please see libnetfilter_queue
 for details.
 .B
 nfnetlink_queue
-was added in Linux 2.6.14. The \fBqueue-balance\fP option was added in Linux 2.6.31,
-\fBqueue-bypass\fP in 2.6.39.
+was added in Linux 2.6.14. The \fBqueue\-balance\fP option was added in Linux
+2.6.31,
+\fBqueue\-bypass\fP in 2.6.39.
 .TP
 \fB\-\-queue\-num\fP \fIvalue\fP
 This specifies the QUEUE number to use. Valid queue numbers are 0 to 65535. The default value is 0.
@@ -28,8 +29,8 @@ are dropped.  When this option is used, the NFQUEUE rule behaves like ACCEPT ins
 will move on to the next table.
 .PP
 .TP
-\fB\-\-queue\-cpu-fanout\fP
+\fB\-\-queue\-cpu\-fanout\fP
 Available starting Linux kernel 3.10. When used together with
-\fB--queue-balance\fP this will use the CPU ID as an index to map packets to
+\fB\-\-queue\-balance\fP this will use the CPU ID as an index to map packets to
 the queues. The idea is that you can improve performance if there's a queue
-per CPU. This requires \fB--queue-balance\fP to be specified.
+per CPU. This requires \fB\-\-queue\-balance\fP to be specified.
diff --git a/extensions/libxt_SET.man b/extensions/libxt_SET.man
index 28a0bbe5..7332acb0 100644
--- a/extensions/libxt_SET.man
+++ b/extensions/libxt_SET.man
@@ -26,7 +26,7 @@ when adding an entry if it already exists, reset the timeout value
 to the specified one or to the default from the set definition
 .TP
 \fB\-\-map\-set\fP \fIset-name\fP
-the set-name should be created with --skbinfo option
+the set-name should be created with \-\-skbinfo option
 \fB\-\-map\-mark\fP
 map firewall mark to packet by lookup of value in the set
 \fB\-\-map\-prio\fP
diff --git a/extensions/libxt_SNAT.man b/extensions/libxt_SNAT.man
index 80a698a6..d879c871 100644
--- a/extensions/libxt_SNAT.man
+++ b/extensions/libxt_SNAT.man
@@ -23,7 +23,7 @@ will be mapped to ports below 1024, and other ports will be mapped to
 \fB\-\-random\fP
 Randomize source port mapping through a hash-based algorithm (kernel >= 2.6.21).
 .TP
-\fB\-\-random-fully\fP
+\fB\-\-random\-fully\fP
 Fully randomize source port mapping through a PRNG (kernel >= 3.14).
 .TP
 \fB\-\-persistent\fP
diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man
index 8b232e85..04fffedb 100644
--- a/extensions/libxt_SYNPROXY.man
+++ b/extensions/libxt_SYNPROXY.man
@@ -22,7 +22,7 @@ Example:
 .PP
 Determine tcp options used by backend, from an external system
 .IP
-tcpdump -pni eth0 -c 1 'tcp[tcpflags] == (tcp-syn|tcp-ack)'
+tcpdump \-pni eth0 \-c 1 'tcp[tcpflags] == (tcp\-syn|tcp\-ack)'
 .br
     port 80 &
 .br
diff --git a/extensions/libxt_TRACE.man b/extensions/libxt_TRACE.man
index 5187a8d2..9cfa2711 100644
--- a/extensions/libxt_TRACE.man
+++ b/extensions/libxt_TRACE.man
@@ -15,6 +15,6 @@ With iptables-nft, the target is translated into nftables'
 .B "meta nftrace"
 expression. Hence the kernel sends trace events via netlink to userspace where
 they may be displayed using
-.B "xtables-monitor --trace"
+.B "xtables\-monitor \-\-trace"
 command. For details, refer to
-.BR xtables-monitor (8).
+.BR xtables\-monitor (8).
diff --git a/extensions/libxt_bpf.man b/extensions/libxt_bpf.man
index d6da2043..b79c21db 100644
--- a/extensions/libxt_bpf.man
+++ b/extensions/libxt_bpf.man
@@ -28,7 +28,7 @@ without the comments or trailing whitespace:
 .IP
 4               # number of instructions
 .br
-48 0 0 9        # load byte  ip->proto
+48 0 0 9        # load byte  ip\->proto
 .br
 21 0 1 6        # jump equal IPPROTO_TCP
 .br
@@ -44,7 +44,7 @@ Or instead, you can invoke the nfbpf_compile utility.
 .IP
 iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
 .PP
-Or use tcpdump -ddd. In that case, generate BPF targeting a device with the
+Or use tcpdump \-ddd. In that case, generate BPF targeting a device with the
 same data link type as the xtables match. Iptables passes packets from the
 network layer up, without mac layer. Select a device with data link type RAW,
 such as a tun device:
@@ -53,8 +53,8 @@ ip tuntap add tun0 mode tun
 .br
 ip link set tun0 up
 .br
-tcpdump -ddd -i tun0 ip proto 6
+tcpdump \-ddd \-i tun0 ip proto 6
 .PP
-See tcpdump -L -i $dev for a list of known data link types for a given device.
+See tcpdump \-L \-i $dev for a list of known data link types for a given device.
 .PP
 You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
diff --git a/extensions/libxt_cgroup.man b/extensions/libxt_cgroup.man
index 4d5d1d86..140afb48 100644
--- a/extensions/libxt_cgroup.man
+++ b/extensions/libxt_cgroup.man
@@ -15,7 +15,7 @@ option and \-\-path can't be used together.
 .PP
 Example:
 .IP
-iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http-server \-j DROP
+iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-path service/http\-server \-j DROP
 .IP
 iptables \-A OUTPUT \-p tcp \-\-sport 80 \-m cgroup ! \-\-cgroup 1
 \-j DROP
diff --git a/extensions/libxt_cluster.man b/extensions/libxt_cluster.man
index 23448e26..63054471 100644
--- a/extensions/libxt_cluster.man
+++ b/extensions/libxt_cluster.man
@@ -22,7 +22,7 @@ Example:
 iptables \-A PREROUTING \-t mangle \-i eth1 \-m cluster
 \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
 \-\-cluster\-hash\-seed 0xdeadbeef
-\-j MARK \-\-set-mark 0xffff
+\-j MARK \-\-set\-mark 0xffff
 .IP
 iptables \-A PREROUTING \-t mangle \-i eth2 \-m cluster
 \-\-cluster\-total\-nodes 2 \-\-cluster\-local\-node 1
@@ -42,10 +42,10 @@ ip maddr add 01:00:5e:00:01:01 dev eth1
 ip maddr add 01:00:5e:00:01:02 dev eth2
 .IP
 arptables \-A OUTPUT \-o eth1 \-\-h\-length 6
-\-j mangle \-\-mangle-mac-s 01:00:5e:00:01:01
+\-j mangle \-\-mangle\-mac\-s 01:00:5e:00:01:01
 .IP
-arptables \-A INPUT \-i eth1 \-\-h-length 6
-\-\-destination-mac 01:00:5e:00:01:01
+arptables \-A INPUT \-i eth1 \-\-h\-length 6
+\-\-destination\-mac 01:00:5e:00:01:01
 \-j mangle \-\-mangle\-mac\-d 00:zz:yy:xx:5a:27
 .IP
 arptables \-A OUTPUT \-o eth2 \-\-h\-length 6
diff --git a/extensions/libxt_connlabel.man b/extensions/libxt_connlabel.man
index bdaa51e8..7ce18cf5 100644
--- a/extensions/libxt_connlabel.man
+++ b/extensions/libxt_connlabel.man
@@ -23,11 +23,11 @@ Label translation is done via the \fB/etc/xtables/connlabel.conf\fP configuratio
 Example:
 .IP
 .nf
-0	eth0-in
-1	eth0-out
-2	ppp-in
-3	ppp-out
-4	bulk-traffic
+0	eth0\-in
+1	eth0\-out
+2	ppp\-in
+3	ppp\-out
+4	bulk\-traffic
 5	interactive
 .fi
 .PP
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index ad9f40fa..2292e9cc 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -39,4 +39,4 @@ ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit
 .TP
 # Limit the number of connections to a particular host:
 ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
-\-\-connlimit-above 100 \-j REJECT
+\-\-connlimit\-above 100 \-j REJECT
diff --git a/extensions/libxt_hashlimit.man b/extensions/libxt_hashlimit.man
index 79a37986..b95a52d2 100644
--- a/extensions/libxt_hashlimit.man
+++ b/extensions/libxt_hashlimit.man
@@ -77,8 +77,8 @@ in 10.0.0.0/8" =>
 .TP
 matching bytes per second
 "flows exceeding 512kbyte/s" =>
-\-\-hashlimit-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
+\-\-hashlimit\-mode srcip,dstip,srcport,dstport \-\-hashlimit\-above 512kb/s
 .TP
 matching bytes per second
 "hosts that exceed 512kbyte/s, but permit up to 1Megabytes without matching"
-\-\-hashlimit-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit-burst 1mb
+\-\-hashlimit\-mode dstip \-\-hashlimit\-above 512kb/s \-\-hashlimit\-burst 1mb
diff --git a/extensions/libxt_nfacct.man b/extensions/libxt_nfacct.man
index a818fedd..4e05891e 100644
--- a/extensions/libxt_nfacct.man
+++ b/extensions/libxt_nfacct.man
@@ -22,7 +22,7 @@ Then, you can check for the amount of traffic that the rules match:
 .IP
 nfacct get http\-traffic
 .IP
-{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http-traffic;
+{ pkts = 00000000000000000156, bytes = 00000000000000151786 } = http\-traffic;
 .PP
 You can obtain
 .B nfacct(8)
diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man
index 41103f29..8bd35554 100644
--- a/extensions/libxt_osf.man
+++ b/extensions/libxt_osf.man
@@ -29,8 +29,8 @@ Log determined genres into dmesg even if they do not match the desired one.
 .PP
 You may find something like this in syslog:
 .PP
-Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 ->
-11.22.33.44:139 hops=3 Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4
+Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 \->
+11.22.33.44:139 hops=3 Linux [2.5\-2.6:] : 1.2.3.4:42624 \-> 1.2.3.5:22 hops=4
 .PP
 OS fingerprints are loadable using the \fBnfnl_osf\fP program. To load
 fingerprints from a file, use:
@@ -42,4 +42,4 @@ To remove them again,
 \fBnfnl_osf \-f /usr/share/xtables/pf.os \-d\fP
 .PP
 The fingerprint database can be downloaded from
-http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os .
+http://www.openbsd.org/cgi\-bin/cvsweb/src/etc/pf.os .
diff --git a/extensions/libxt_owner.man b/extensions/libxt_owner.man
index e2479865..fd6fe190 100644
--- a/extensions/libxt_owner.man
+++ b/extensions/libxt_owner.man
@@ -16,7 +16,7 @@ Matches if the packet socket's file structure is owned by the given group.
 You may also specify a numerical GID, or a GID range.
 .TP
 \fB\-\-suppl\-groups\fP
-Causes group(s) specified with \fB\-\-gid-owner\fP to be also checked in the
+Causes group(s) specified with \fB\-\-gid\-owner\fP to be also checked in the
 supplementary groups of a process.
 .TP
 [\fB!\fP] \fB\-\-socket\-exists\fP
diff --git a/extensions/libxt_socket.man b/extensions/libxt_socket.man
index f809df69..a268b443 100644
--- a/extensions/libxt_socket.man
+++ b/extensions/libxt_socket.man
@@ -29,7 +29,7 @@ to be matched when restoring the packet mark.
 Example: An application opens 2 transparent (\fBIP_TRANSPARENT\fP) sockets and
 sets a mark on them with \fBSO_MARK\fP socket option. We can filter matching packets:
 .IP
-\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore-skmark \-j action
+\-t mangle \-I PREROUTING \-m socket \-\-transparent \-\-restore\-skmark \-j action
 .IP
 \-t mangle \-A action \-m mark \-\-mark 10 \-j action2
 .IP
-- 
2.42.0

[PATCH 06/10] man: consistent casing of "IPv[46]"

[Jan Engelhardt]

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libipt_ULOG.man     | 2 +-
 extensions/libxt_connlimit.man | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/extensions/libipt_ULOG.man b/extensions/libipt_ULOG.man
index c828b45e..eb37d4fb 100644
--- a/extensions/libipt_ULOG.man
+++ b/extensions/libipt_ULOG.man
@@ -1,4 +1,4 @@
-This is the deprecated ipv4-only predecessor of the NFLOG target.
+This is the deprecated IPv4-only predecessor of the NFLOG target.
 It provides userspace logging of matching packets.  When this
 target is set for a rule, the Linux kernel will multicast this packet
 through a
diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index 2292e9cc..980bf6c5 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -33,7 +33,7 @@ iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
 \-\-connlimit\-mask 24 \-j REJECT
 .TP
 # limit the number of parallel HTTP requests to 16 for the link local network
-(ipv6)
+(IPv6)
 ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
 16 \-\-connlimit\-mask 64 \-j REJECT
 .TP
-- 
2.42.0

[PATCH 07/10] man: grammar fixes to some manpages

[Jan Engelhardt]

English generally uses open compounds rather than closed ones;
fix the excess hyphens in words. Fix a missing dash for the
portnr option as well.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_MASQUERADE.man |  2 +-
 extensions/libxt_helper.man     | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
index e2009086..7cc2bb7a 100644
--- a/extensions/libxt_MASQUERADE.man
+++ b/extensions/libxt_MASQUERADE.man
@@ -15,7 +15,7 @@ any established connections are lost anyway).
 \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
 This specifies a range of source ports to use, overriding the default
 .B SNAT
-source port-selection heuristics (see above).  This is only valid
+source port-selection heuristics (see above). This is only valid
 if the rule also specifies one of the following protocols:
 \fBtcp\fP, \fBudp\fP, \fBdccp\fP or \fBsctp\fP.
 .TP
diff --git a/extensions/libxt_helper.man b/extensions/libxt_helper.man
index 772b1350..fb8a206c 100644
--- a/extensions/libxt_helper.man
+++ b/extensions/libxt_helper.man
@@ -1,11 +1,11 @@
-This module matches packets related to a specific conntrack-helper.
+This module matches packets related to a specific conntrack helper.
 .TP
 [\fB!\fP] \fB\-\-helper\fP \fIstring\fP
-Matches packets related to the specified conntrack-helper.
+Matches packets related to the specified conntrack helper.
 .RS
 .PP
-string can be "ftp" for packets related to a ftp-session on default port.
-For other ports append \-portnr to the value, ie. "ftp\-2121".
+string can be "ftp" for packets related to an FTP session on default port.
+For other ports, append \-\-portnr to the value, ie. "ftp\-2121".
 .PP
-Same rules apply for other conntrack-helpers.
+Same rules apply for other conntrack helpers.
 .RE
-- 
2.42.0

[PATCH 08/10] man: use native bullet point markup

[Jan Engelhardt]

Replace some "fake" bullet point by the official syntax/markup
for bulleted lists.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_connlimit.man | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/extensions/libxt_connlimit.man b/extensions/libxt_connlimit.man
index 980bf6c5..aa7df2b2 100644
--- a/extensions/libxt_connlimit.man
+++ b/extensions/libxt_connlimit.man
@@ -20,23 +20,28 @@ Apply the limit onto the source group. This is the default if
 Apply the limit onto the destination group.
 .PP
 Examples:
-.TP
-# allow 2 telnet connections per client host
+.IP \(bu 4
+allow 2 telnet connections per client host:
+.br
 iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-above 2 \-j REJECT
-.TP
-# you can also match the other way around:
+.IP \(bu 4
+you can also match the other way around:
+.br
 iptables \-A INPUT \-p tcp \-\-syn \-\-dport 23 \-m connlimit \-\-connlimit\-upto 2 \-j ACCEPT
-.TP
-# limit the number of parallel HTTP requests to 16 per class C sized \
-source network (24 bit netmask)
+.IP \(bu 4
+limit the number of parallel HTTP requests to 16 per class C sized \
+source network (24 bit netmask):
+.br
 iptables \-p tcp \-\-syn \-\-dport 80 \-m connlimit \-\-connlimit\-above 16
 \-\-connlimit\-mask 24 \-j REJECT
-.TP
-# limit the number of parallel HTTP requests to 16 for the link local network
-(IPv6)
+.IP \(bu 4
+limit the number of parallel HTTP requests to 16 for the link local network
+(IPv6):
+.br
 ip6tables \-p tcp \-\-syn \-\-dport 80 \-s fe80::/64 \-m connlimit \-\-connlimit\-above
 16 \-\-connlimit\-mask 64 \-j REJECT
-.TP
-# Limit the number of connections to a particular host:
+.IP \(bu 4
+Limit the number of connections to a particular host:
+.br
 ip6tables \-p tcp \-\-syn \-\-dport 49152:65535 \-d 2001:db8::1 \-m connlimit
 \-\-connlimit\-above 100 \-j REJECT
-- 
2.42.0

[PATCH 09/10] man: use .TP for lists in xt_osf man page

[Jan Engelhardt]

From: Phil Sutter <phil@nwl.cc>

Value and description are more clearly set apart. Using .RS/.RE
pairs also adds proper indenting.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_osf.man | 34 ++++++++++++++++++++++------------
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man
index 8bd35554..85c1a3b4 100644
--- a/extensions/libxt_osf.man
+++ b/extensions/libxt_osf.man
@@ -8,24 +8,34 @@ Match an operating system genre by using a passive fingerprinting.
 \fB\-\-ttl\fP \fIlevel\fP
 Do additional TTL checks on the packet to determine the operating system.
 \fIlevel\fP can be one of the following values:
-.IP \(bu 4
-0 - True IP address and fingerprint TTL comparison. This generally works for
+.RS
+.TP
+\fB0\fP
+True IP address and fingerprint TTL comparison. This generally works for
 LANs.
-.IP \(bu 4
-1 - Check if the IP header's TTL is less than the fingerprint one. Works for
+.TP
+\fB1\fP
+Check if the IP header's TTL is less than the fingerprint one. Works for
 globally-routable addresses.
-.IP \(bu 4
-2 - Do not compare the TTL at all.
+.TP
+\fB2\fP
+Do not compare the TTL at all.
+.RE
 .TP
 \fB\-\-log\fP \fIlevel\fP
 Log determined genres into dmesg even if they do not match the desired one.
 \fIlevel\fP can be one of the following values:
-.IP \(bu 4
-0 - Log all matched or unknown signatures
-.IP \(bu 4
-1 - Log only the first one
-.IP \(bu 4
-2 - Log all known matched signatures
+.RS
+.TP
+\fB0\fP
+Log all matched or unknown signatures
+.TP
+\fB1\fP
+Log only the first one
+.TP
+\fB2\fP
+Log all known matched signatures
+.RE
 .PP
 You may find something like this in syslog:
 .PP
-- 
2.42.0

[PATCH 10/10] man: reveal rateest's combination categories

[Jan Engelhardt]

From: Phil Sutter <phil@nwl.cc>

The .\" prefix made these paragraphs invisible in at least regular
man page output. Turn them into tags instead.

Signed-off-by: Jan Engelhardt <jengelh@inai.de>
---
 extensions/libxt_rateest.man | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/extensions/libxt_rateest.man b/extensions/libxt_rateest.man
index d6ba3675..22301e7f 100644
--- a/extensions/libxt_rateest.man
+++ b/extensions/libxt_rateest.man
@@ -4,22 +4,26 @@ estimators and matching on the difference between two rate estimators.
 .PP
 For a better understanding of the available options, these are all possible
 combinations:
-.\" * Absolute:
+.TP
+Absolute:
 .IP \(bu 4
 \fBrateest\fP \fIoperator\fP \fBrateest-bps\fP
 .IP \(bu 4
 \fBrateest\fP \fIoperator\fP \fBrateest-pps\fP
-.\" * Absolute + Delta:
+.TP
+Absolute + Delta:
 .IP \(bu 4
 (\fBrateest\fP minus \fBrateest-bps1\fP) \fIoperator\fP \fBrateest-bps2\fP
 .IP \(bu 4
 (\fBrateest\fP minus \fBrateest-pps1\fP) \fIoperator\fP \fBrateest-pps2\fP
-.\" * Relative:
+.TP
+Relative:
 .IP \(bu 4
 \fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-bps\fP(without rate!)
 .IP \(bu 4
 \fBrateest1\fP \fIoperator\fP \fBrateest2\fP \fBrateest-pps\fP(without rate!)
-.\" * Relative + Delta:
+.TP
+Relative + Delta:
 .IP \(bu 4
 (\fBrateest1\fP minus \fBrateest-bps1\fP) \fIoperator\fP
 (\fBrateest2\fP minus \fBrateest-bps2\fP)
-- 
2.42.0

Re: [PATCH 09/10] man: use .TP for lists in xt_osf man page

[Phil Sutter]

On Thu, Oct 26, 2023 at 10:55:05AM +0200, Jan Engelhardt wrote:
> From: Phil Sutter <phil@nwl.cc>
> 
> Value and description are more clearly set apart. Using .RS/.RE
> pairs also adds proper indenting.
> 
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  extensions/libxt_osf.man | 34 ++++++++++++++++++++++------------
>  1 file changed, 22 insertions(+), 12 deletions(-)
> 
> diff --git a/extensions/libxt_osf.man b/extensions/libxt_osf.man
> index 8bd35554..85c1a3b4 100644
> --- a/extensions/libxt_osf.man
> +++ b/extensions/libxt_osf.man
> @@ -8,24 +8,34 @@ Match an operating system genre by using a passive fingerprinting.
>  \fB\-\-ttl\fP \fIlevel\fP
>  Do additional TTL checks on the packet to determine the operating system.
>  \fIlevel\fP can be one of the following values:
> -.IP \(bu 4
> -0 - True IP address and fingerprint TTL comparison. This generally works for
> +.RS
> +.TP
> +\fB0\fP

What is wrong with '.B' here? I assumed it is equivalent to the escapes
(which I don't like for making things unreadable in most cases).

Cheers, Phil

Re: [PATCH 07/10] man: grammar fixes to some manpages

[Phil Sutter]

On Thu, Oct 26, 2023 at 10:55:03AM +0200, Jan Engelhardt wrote:
> English generally uses open compounds rather than closed ones;
> fix the excess hyphens in words. Fix a missing dash for the
> portnr option as well.
> 
> Signed-off-by: Jan Engelhardt <jengelh@inai.de>
> ---
>  extensions/libxt_MASQUERADE.man |  2 +-
>  extensions/libxt_helper.man     | 10 +++++-----
>  2 files changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
> index e2009086..7cc2bb7a 100644
> --- a/extensions/libxt_MASQUERADE.man
> +++ b/extensions/libxt_MASQUERADE.man
> @@ -15,7 +15,7 @@ any established connections are lost anyway).
>  \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
>  This specifies a range of source ports to use, overriding the default
>  .B SNAT
> -source port-selection heuristics (see above).  This is only valid
> +source port-selection heuristics (see above). This is only valid

Do you miss a dash in:

"default SNAT source port selection heuristics"? I lean towards putting
dashes everywhere, but my language spoils me. ;)

Thanks, Phil

Re: [PATCH 09/10] man: use .TP for lists in xt_osf man page

[Jan Engelhardt]

On Thursday 2023-10-26 14:26, Phil Sutter wrote:
>> @@ -8,24 +8,34 @@ Match an operating system genre by using a passive fingerprinting.
>>  \fB\-\-ttl\fP \fIlevel\fP
>>  Do additional TTL checks on the packet to determine the operating system.
>>  \fIlevel\fP can be one of the following values:
>> -.IP \(bu 4
>> -0 - True IP address and fingerprint TTL comparison. This generally works for
>> +.RS
>> +.TP
>> +\fB0\fP
>
>What is wrong with '.B' here? I assumed it is equivalent to the escapes
>(which I don't like for making things unreadable in most cases).

One can make lots of arguments for both sides.

* You cannot mix certain commands. This for example cannot be
  converted to use .B syntax as far as my understanding of roff
  syntax goes:

	.TP
	Some \fBbold\fP keyword
	Explanation what they keyword does

	.TP
	Some
	.B bold
	keyword but oops we are already in the explanation

* Desire for consistent markup across entire documentation;
  since we cannot use .B reliably, \fB offered to take the
  place and so almost all the mantext in iptables uses \fB.

* .B (and commands like it) bloat the line count if you have a lot of
  words to markup, and we certainly do in e.g. the "Synopsis"
  sections.

* \(en could be changed to \[en] or to the Unicode character
  directly. But the groff manpage has ample warnings:

  """these groff extensions are presented using its special character
  form \[]"""

  """Some of these code points are used by groff for internal
  purposes, which is one reason it does not support UTF‐8
  natively."""

  I need to revise the \[-] patch perhaps based on what I just
  learned.

That said, it's 2023. People _should_ be having a syntax-highlighting
editor, and I don't mean it needs to have fancy colors. Just set
escape codes apart (brighten or dimming, whichever is your thing),
e.g. https://paste.opensuse.org/pastes/b593dd7ee4db .

Re: [PATCH 07/10] man: grammar fixes to some manpages

[Jan Engelhardt]

On Thursday 2023-10-26 14:53, Phil Sutter wrote:
>> diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
>> index e2009086..7cc2bb7a 100644
>> --- a/extensions/libxt_MASQUERADE.man
>> +++ b/extensions/libxt_MASQUERADE.man
>> @@ -15,7 +15,7 @@ any established connections are lost anyway).
>>  \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
>>  This specifies a range of source ports to use, overriding the default
>>  .B SNAT
>> -source port-selection heuristics (see above).  This is only valid
>> +source port-selection heuristics (see above). This is only valid
>
>Do you miss a dash in:
>
>"default SNAT source port selection heuristics"? I lean towards putting
>dashes everywhere, but my language spoils me. ;)

Third time's the charm, hopefully?




The following changes since commit ccecb1b90ae2af6e963d27ada8d5fd69d40231c4:

  extensions: string: Adjust description of --to to recent kernel changes (2023-10-25 17:23:57 +0200)

are available in the Git repository at:

  https://github.com/jengelh/iptables 

for you to fetch changes up to 0342b75582b98a175ee804fa636161e91be1d696:

  man: reveal rateest's combination categories (2023-10-26 15:56:24 +0200)

----------------------------------------------------------------
Jan Engelhardt (7):
      man: display number ranges with an en dash
      man: encode minushyphen the way groff/man requires it
      man: encode emdash the way groff/man requires it
      man: encode hyphens the way groff/man requires it
      man: consistent casing of "IPv[46]"
      man: grammar fixes to some manpages
      man: use native bullet point markup

Phil Sutter (2):
      man: use .TP for lists in xt_osf man page
      man: reveal rateest's combination categories

 extensions/libip6t_DNPT.man     |  2 +-
 extensions/libip6t_REJECT.man   |  7 ++++---
 extensions/libip6t_SNPT.man     |  2 +-
 extensions/libipt_REJECT.man    |  7 ++++---
 extensions/libipt_ULOG.man      |  4 ++--
 extensions/libxt_CT.man         |  4 ++--
 extensions/libxt_HMARK.man      |  2 +-
 extensions/libxt_LED.man        |  4 ++--
 extensions/libxt_MASQUERADE.man |  6 +++---
 extensions/libxt_NFLOG.man      |  4 ++--
 extensions/libxt_NFQUEUE.man    | 11 ++++++-----
 extensions/libxt_SET.man        |  4 ++--
 extensions/libxt_SNAT.man       |  2 +-
 extensions/libxt_SYNPROXY.man   |  4 ++--
 extensions/libxt_TRACE.man      |  4 ++--
 extensions/libxt_bpf.man        |  8 ++++----
 extensions/libxt_cgroup.man     |  2 +-
 extensions/libxt_cluster.man    |  8 ++++----
 extensions/libxt_connlabel.man  | 10 +++++-----
 extensions/libxt_connlimit.man  | 31 ++++++++++++++++++-------------
 extensions/libxt_cpu.man        |  2 +-
 extensions/libxt_dscp.man       |  2 +-
 extensions/libxt_hashlimit.man  |  6 +++---
 extensions/libxt_helper.man     | 10 +++++-----
 extensions/libxt_limit.man      |  2 +-
 extensions/libxt_nfacct.man     |  2 +-
 extensions/libxt_osf.man        | 40 +++++++++++++++++++++++++---------------
 extensions/libxt_owner.man      |  2 +-
 extensions/libxt_rateest.man    | 16 ++++++++++------
 extensions/libxt_socket.man     |  2 +-
 extensions/libxt_time.man       |  2 +-
 extensions/libxt_u32.man        | 16 ++++++++--------
 iptables/ebtables-nft.8         | 22 +++++++++++-----------
 33 files changed, 136 insertions(+), 114 deletions(-)

Re: [PATCH 07/10] man: grammar fixes to some manpages

[Phil Sutter]

On Thu, Oct 26, 2023 at 05:10:07PM +0200, Jan Engelhardt wrote:
> On Thursday 2023-10-26 14:53, Phil Sutter wrote:
> >> diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
> >> index e2009086..7cc2bb7a 100644
> >> --- a/extensions/libxt_MASQUERADE.man
> >> +++ b/extensions/libxt_MASQUERADE.man
> >> @@ -15,7 +15,7 @@ any established connections are lost anyway).
> >>  \fB\-\-to\-ports\fP \fIport\fP[\fB\-\fP\fIport\fP]
> >>  This specifies a range of source ports to use, overriding the default
> >>  .B SNAT
> >> -source port-selection heuristics (see above).  This is only valid
> >> +source port-selection heuristics (see above). This is only valid
> >
> >Do you miss a dash in:
> >
> >"default SNAT source port selection heuristics"? I lean towards putting
> >dashes everywhere, but my language spoils me. ;)
> 
> Third time's the charm, hopefully?

Did you intentionally revert from '\[-]' back to '\-' in math formulae?
Apart from that, your updated series looks good to me.

Thanks, Phil